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ft FM ARKS 

date* 1-7, 9. <md 1 1-30 are «B1 pending in this application. Clam* 8 and 10 have been 
IW «l~l«*-'-«<<*.S. dahnsSand.Ohavebeea cancelled. Recnnsideranon 
of the application is earnestly requested. g» 

c 

Res ponse to Office Action. £ 

The Examiner has maintained the rejection of the claims in view of Chess and U 

Chandnani. In the recent final office action (page 4) and in the current office action, it is stated Cf 
that Applicants have failed to explicitly identify specific claim limitations which would define a 
patentable distinction over prior art. To the contrary, A npHcut submits that the Repl V mailed | 
te 0 9005 very gfigafic^ « ^ "™ daim " ^ ilKtepmdflnt £ 
bairns that was not preset jn anv " f the cited <g 

Applicant detailed very carefully why the Chess and the Chandnani references are not CD 
relevant and pointed out which elements of the claims the references do not teach or suggest 
For example, the three steps of claim 5 not present in Chess. Claim 1 5 requires extracting, 
linearizing and detennining key actions; Chess does not teach or suggest such steps. Claim 1 
requires "generating a language independent representation of the portion of the interpreted 
language source code." Chandnani does not teach or suggest generating a language independent 
representation of interpreted language source code. Claim 1 1 requires extracting and linearizing 
key actions and comparing the executing thread; the steps are not taught or suggested by 
Chandnani. Claims 21 and 25 are Beauregard claims mat are similar to the above claims. 
Various of the dependent claims also contain features not present in the cited art as detailed in 
the previous Reply. 
Res ponse to Argum ents— Chess 

In the current Office Action the Examiner presents a Response to Arguments starting at 
page 3 in which specific sections of the prior art are relied upon as disclosing features of the 
independent claims. 

The current Office Action now cites column 4, line 38 to column 5, line 2 and column 1 1 , 
lines 39 to 56 of Chess as disclosing claims 5, 7-10, 15-20 and 25-30. But, columns 4 and 5 only 
disclose a comparison of a host computer file and an infected version of the host computer file. 
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features of the independent claims are not disclosed. 
ClaimS, 

data, 5 requires ■ M U« U « aB U>H*B«l^^ 
eo^er virus" Cto does notteach or surest*, imerpreted language tat contains a 

diseases host and infected files written in binary code or bytes. There is no discussion of source 
code or of an interpreted language. 

Ctoim 5 also requires ^MrtwOM* ^ « W «■» 

source code that is parsed into tokens. 

CUim 5 also require* "gsnesfi,,^^ 
J - c ^- ; -. 1r -*, rfa -«*»- ThatpordnnofC^sreUedupondoe.no.disclose 

Iri*. .n *«. Figure 4 simply shov« manipulation of byte codes, the language m wbrch 



"n is a 



Claim5 also requires that-fly Wuaf? jndependsnt 
faction," The Office Action relies upon column 12 of C*ess for this ~£ 

Tecnons of byte codes, some being variable over samples, some being consmn, A by* .code* 
n« a » k ey action" as described in ft. Specimen of die hrs»nt appUc.no. ~ 
"hnearized." As described in the Specification of the instant application, linearized refers m 
re^anging portions of me virus code such thatdiey sppaar in the order m»hidbtheya I e 
evened; Figure 4 simply shows mat me byte codes of the computer vims are left as ,s. 

Claim 5 also requires '^m^^^^^^^^ 
^ m ^ mMssmss .- BecauseC^doestmtasclose.language-ind^nt 

no teaching that this signature is stored for later use. 
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Claim 15 i 
Those features of claim, 15-20 similar to tlie above features of claims 5-10 that have ;■ 

a^adybeendiscussed^ ■ 
Former, claim 15 requires -rnrtgrtiup key actions," "Hnmirin p key actions; ' 

.^^^^vt^lnM&ar "sjoringj.e^^ 

vi^^ature" Respectfully, it is pointed out that columns 11 andl2of Cto do not involve 
extracting, linearizing or determining key actions. Again, itis pointed out that Figure 4 of Chess 
simply discloses placing the virus code into sections and determining which sections remain 
constentoversamplesand^chsectionsarevariable. None ofthe above-cited steps of claun 

1 5 are taught or suggested in Chess . 

Res ponse to Arfnimeats ^handmmi ^ 

^current Office Action now c^^ 8 ' 

disclosing claims 1A, 11-14 and 21-24. But, paragraph 16 only discloses detecting a scnpt ^ 

language virus using language description data dependent on the script language. Claim 1 ffl 

requires a language ind^endeBi representation. Paragraph 20 only discloses that the incoming «j 

data stream (the script language) is converted into a stream of tokens; paragraph 29 discloses ^ 

Lexical anal^is of a data stream. Claim 11. though, requires further steps as explained below. < 

Paragraphs 51-56 (and paragraph 50) describe creating viral code detection data (a detection j- 

regimen) from samples of script language viral code. The detection regimen is converted to g 
binary format and then matched against suspected viral code (such as a corrupt system macro, as 
shown). But, the independent claims require distinctive features as explained below. 

Clflirns 1-4 

Claim 1 is a method for identifying a computer virus in interpreted language source code. 
After a portion of the code is received, the second step of the claim requires "genemtmgjl 
language jBde nenjentaejges ^fin «f fh n p ortion o f the ^ jangl es source cod e." 
The third and fourth steps also require the "language-independent representation" limitation. 
Use of a language-independent representation is beneficial because it can better detect 
polymorphs of scripting language viruses. 

By contrast, Chandnani does not teach or suggest generating a language-independent 
representation of the interpreted language source code to be scanned for a virus. Chan*** does 
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■ ^ ♦ *+™.™« T^m-umtin" script code is fed into a detection 
show in Fisure 2 that an incoming data stream represents,, scrip 

snow in figure u c < 7 _/s? \ The lexical analyzer converts the data 

engine 53 that has a lexical analyzer. (Paragraphs 57-62.) The lexical an yz 

^isnotala^guageind^ 

very much a language dependent stream of characters, language constructs, symbols, etc., that 
represent a particular scripting language. 

Because the second step of claim 1 is not taught or suggested, it is requested that the 
rejection be withdrawn. 

Claim 3 requires that "the virus signature is a language independent representation of an 
interpreted language source code computer virus." The data stream of tokens in Ovndnam is 
compared to the virus detection data from database 57 . But the virus detection data is not a 
languag e independent representation of source code. The virus detection data is a pattern of 
tokens or a CRC signature check (Paragraph 5 1), neither of which is a language independent 
presentation. Further, because the virus detection data is compared directly to the stream of 
tokens (the tokens representing the particular script language used), the virus detection data must 
also be in the form of the particular script language being used (Paragraph 64). If the virus 
detection data were in a language indent form it would not be possible to match the stream 
of tokens which are in a language pendent form. The Office Action cites paragraph 55 as 
disclosing that the virus signature is in a language independent representation, but paragraph 55 
only discloses that DFA data is used to transition from one stage in a pattern match operation to 
the next. The actual pattern match data (Le., the virus signature) is still in a language dependent 
form. 

Claim 4 requires that both the source code and the virus signature "are presented as a 
linearized string of key actions." As discussed above, Chandnani does not disclose key actions 
nor a linearized string. 

Claims 11-14 

Claim 1 1 requires selected key ,rtions from fee tokmi^d source code, " 

■n;^^ Wev acti- - — ™* — ^ thread and "com parin. the executing 

^ . si^~ .f .known virus." As pointed out above in the overview of 
Cnandnani, once the incoming data stream is converted into a stream of tokens there is no other 
processing performed upon the tokens and no further representation of th. teken^ 
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Ps^bs 57-64 only asciose fet fe incoming data sbeam * ««-- <- ' ^ 

.gptod steps «* ■Tlffn.ftW t-Mfid VtY kaSaa3B£S !f^^_ nieUesupon 
^Lccstotod- » no« «ught or suggested by Oumirumi. V» Office Acnon reltes upon 

I converted into a » of tokens. Tae Office Action a!so cites patagtaph 64 but fes 
p^ph only disclosesfe. a pattern is matched against to token sBesm; fere ts no 

key actions ftoro the tokens in the first place. 

Wo-.AppUcantsubmitsfetfeclate are allowable and requesufetfe 
rejections be withdrawn. 

^prosecution. p.ease do no. hesitate to telephone fe understgned « (612) 252-3330. 

Respectfully submitted, 
BEYER WEAVJEBf A THOMAS 




Joijkthan O. Scott 
Registration No. 39,364 




Beyer Weaver & Thomas, LLP 
P.O. Box 70250 
Oakland, CA 94612-0250 

Telephone; (612)252-3330 
Facsimile: (612)825-6304 
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